search

Juniper / netconf-java

Java library for NETCONF
Other
76 stars 63 forks source link

Log4J bug: Version current tip of code #58

Closed senderic closed 2 years ago

senderic commented 2 years ago

(I originally wrote this in #56 , but realized it was a closed PR and probably no one will see it, Reposting here so it is a live issue)

The update from #56 - it actually has us avoid the new log4j bug

https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.12 https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

Could we get the current master tagged for v2.1.1.6 or something so its more official looking? Currently I am getting the jar from jitpack.io but referencing the hash code for the current tip of master.

Master is good (no reference to vulnerable Log4J):

esender@Escolar MINGW64 ~/Documents/RMBN/workspace/netconf-java (master) $ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< net.juniper.netconf:netconf-java >------------------
[INFO] Building net.juniper.netconf:netconf-java 2.1.1.6-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ netconf-java ---
[INFO] net.juniper.netconf:netconf-java:jar:2.1.1.6-SNAPSHOT
[INFO] +- com.jcraft:jsch:jar:0.1.55:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- xalan:xalan:jar:2.7.1:compile
[INFO] |  \- xalan:serializer:jar:2.7.1:compile
[INFO] |     \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] +- org.assertj:assertj-core:jar:3.9.0:test
[INFO] +- org.mockito:mockito-core:jar:3.11.2:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.11.3:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.3:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- commons-io:commons-io:jar:2.7:test
[INFO] +- com.google.guava:guava:jar:30.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] \- org.xmlunit:xmlunit-assertj:jar:2.8.2:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.8.2:test
[INFO]       \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]          \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test

vs v2.1.1.5 which does reference Log4J:

esender@Escolar MINGW64 ~/Documents/RMBN/workspace/netconf-java ((v2.1.1.5)) $ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< net.juniper.netconf:netconf-java >------------------
[INFO] Building net.juniper.netconf:netconf-java 2.1.1.5
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ netconf-java ---
[INFO] net.juniper.netconf:netconf-java:jar:2.1.1.5
[INFO] +- com.jcraft:jsch:jar:0.1.55:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.12:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- xalan:xalan:jar:2.7.1:compile
[INFO] |  \- xalan:serializer:jar:2.7.1:compile
[INFO] |     \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] +- org.assertj:assertj-core:jar:3.9.0:test
[INFO] +- org.mockito:mockito-all:jar:1.9.5:test
[INFO] +- org.mockito:mockito-core:jar:2.24.0:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.9.7:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.9.7:test
[INFO] |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] +- commons-io:commons-io:jar:2.7:test
[INFO] +- com.google.guava:guava:jar:30.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] \- org.xmlunit:xmlunit-assertj:jar:2.8.2:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.8.2:test
[INFO]       \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]          \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.357 s
[INFO] Finished at: 2021-12-20T11:36:55-08:00
[INFO] ------------------------------------------------------------------------

So v2.1.1.5 contains:

[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.12:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile

And Log4j v1.2.17 --> https://mvnrepository.com/artifact/log4j/log4j/1.2.17...

So yeah - let's make the current master a version such as 2.1.1.6 so it can be referenced in a more official looking manner on jitpack.

ydnath commented 2 years ago

Released v2.1.1.6.

Happy Holidays!